Friday, February 21, 2014

Widespread Vulnerability Found in Dozens of Government 'Open Data' Websites [Updated]

    At first glance, a page on the Health and Human Services (HHS) website seems to be giving that agency's official advice on the "The Health Benefits of Nootropics," a classification of purportedly memory-enhancing drugs.  The page is found on the website's subdomain of the Assistant Secretary for Planning and Evaluation (ASPE) as part of the Health System Measurement Project.  The page contains the official logo of HHS, the domain in the URL ends with the legitimate HHS address containing "hhs.gov", and the "https://" indicates the connection is even a secure one.  Further down the page, there is even a link to a website selling related products.  A partial screenshot of the profile page at HHS.gov appears as follows:

    Similar pages on the site offer information and counsel on shampoo, surgery, and health issues suffered by computer users.  However, in spite of all the apparently reassuring elements and features of these pages, Health and Human Services had nothing to do with their creation or content, and does not recommend or endorse either the information or the linked products.
    Nevertheless, while the pages are not official HHS information, neither are they technically cases of hacking.  Rather, the creators have exploited a weakness in the "open data" system used by dozens of government websites.  The platform was developed by a company called Socrata.  The system allows users to create profiles and then manipulate data tables that various governments (federal, state, local) host on their websites.  The results can be shared with others for statistical analysis, research, and other purposes, as some users have done. However, in cases like the ones above, a profile page itself can be used to promote a product or information in a way that gives viewers the impression that the host government entity approves or even endorses.  A legitimate looking link could even be included in an email to direct recipients to what they may easily perceive as government-provided information.
    THE WEEKLY STANDARD first reported this opening in January when some internet marketers had created profiles at data.healthcare.gov, the federal government's Obamacare website.  Within a day  after the story ran, Healthcare.gov disabled public access to profiles created for its data site.  At the time, David Kennedy, the CEO of TrustedSec, an information security firm, remarked that the opening could allow scammers to fool users with a "website that’s legitimate to make them believe its something else," and that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of healthcare.gov."
    Use of the profiles can be especially effective since the profiles contain no disclaimers that the government entity does not endorse the content, and there are no warnings when clicking on links that "you are now leaving the website for an external site", a common warning on government sites.
    Health and Human Services is not the only government agency at risk.  The White House announced "Project Open Data" in May 2013 with dozens of federal agencies and sub-agencies taking part.  As recently as January 14, the White House released a Fact Sheet on the White House Safety Datapalooza,  an initiative to safeguard government data that is "part of the Administration’s larger commitment to unleash the power of open data."
    Other examples of profiles such as the one above are numerous, including other federal agencies, plus state, county and local governments.  The products and information being pushed range from private loans to debt consolidation to even "artificial turf":

    Each of the pages above (and dozens of others discovered in the preparation of this story) contains a link to an external website that is obviously not an officially sanctioned site by the government host, but neither are there any disclaimers to warn potential viewers.  The pages appear to violate the Terms of Service of the Socrata platform since "[u]nsolicited promotions, political campaigning, advertising or solicitations" are prohibited.
    More malicious sites could be used for data harvesting or even identity theft since scammers are able to trade on the credibility conferred by the official government websites that host these profile pages.  THE WEEKLY STANDARD has no direct evidence that such activity has yet taken place via an "open data" website, but at this point, clearly the door is wide open to such abuse.  
   An email to an official at Data.gov seeking comment was referred to another official who has not yet responded.  An emailed request to Socrata for comment was initially returned Tuesday evening with a promise of a response, but so far, no additional response has been received.

UPDATE: By the end of the day on Thursday, public access to Socrata profiles had been disabled.  Clicking on links to the profiles now redirect users to a login page.  Neither the government nor Socrata ever acknowledged the vulnerability nor issued any statement regarding the issue despite earlier promises to respond.  Tim Cashman, a Senior Content Strategist at Socrata, initially responded to an email Tuesday night with a promise to "be in touch with a response shortly", and Steven Gottlieb, a Socrata PR contact, and Bill Glenn, VP of Marketing, were both cc'd on his reply.  Several followup emails to all three Socrata representatives, however, were ignored.

Note: A version of this post, before the update, first appeared at The Weekly Standard.

No comments:

Post a Comment